dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot enforcing engine-strict but with an old npm on Action Runners in last few days #10982

Closed broksonic21 closed 9 hours ago

broksonic21 commented 4 days ago


Package ecosystem

npm

Package manager version

9

Language version

22

Manifest location and content before the Dependabot update

package.json:

    "engines": {
        "node": ">=20",
        "npm": ">=9"
      },

with .npmrc:

engine-strict=true

see

https://github.com/broksonic21/dependabot-engine

dependabot.yml content

https://github.com/broksonic21/dependabot-engine/blob/main/.github/dependabot.yml

Updated dependency

No response

What you expected to see, versus what you actually saw

In the last day or so, this started happening from dependabot and fails to run at all - silently, unless you look at the dependabot UI. Note: this only happens with dependabot on GitHub Action runners - I wasn't able to repro this if I turn off GitHub Action runners.

See: https://github.com/broksonic21/dependabot-engine/network/updates/920658676

Note: the error message says NPM 10.8.2. But the logs say you are running npm 8.19.4

We required npm 9 and above -> and all of a sudden all our dependabot runs fail to run.

Can this get fixed up (both the messaging, and the fact that you are running on an old version)?

Dependabot can't resolve your JavaScript dependency files
Dependabot failed to update your dependencies because there was an error resolving your JavaScript dependency files.

Dependabot encountered the following error:

Dependabot uses Node.js v20.18.0 and NPM 10.8.2. Due to the engine-strict setting, the update will not succeed.

Logs show:

npm ERR! code EBADENGINE
npm ERR! engine Unsupported engine
npm ERR! engine Not compatible with your version of node/npm: PACKAGEOBFUSCATED
npm ERR! notsup Not compatible with your version of node/npm: PACKAGEOBFUSCATED
npm ERR! notsup Required: {"node":">=20","npm":">=9"}
npm ERR! notsup Actual:   {"npm":"8.19.4","node":"v20.18.1"}

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

https://github.com/broksonic21/dependabot-engine/network/updates/920658676

Smallest manifest that reproduces the issue

No response
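As an added example (not Dependabot's or npm's code), here is the engine-strict decision behind the EBADENGINE error quoted above, reduced to a small Node script that can run as a pre-flight check in CI before the updater invokes npm. The comparator-range parser is a simplified stand-in for npm's semver handling, and the sample versions are constructed from the "Required" / "Actual" log lines in this post.

```javascript
// Added example: reproduce npm's engine-strict check from this issue as a
// pre-flight step. Supports space-joined comparator ranges (">=", ">",
// "<=", "<", "="); a bare version is treated as an exact match (simplified).

// Parse "v20.18.1" / "8.19.4" into numeric [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

// Compare two parsed versions: negative, zero or positive, like strcmp.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when `actual` satisfies every comparator in `range` (e.g. ">=9 <11").
function satisfies(actual, range) {
  const have = parseVersion(actual);
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(clause);
    const op = m[1] || '=';
    const cmp = compareVersions(have, parseVersion(m[2]));
    switch (op) {
      case '>=': return cmp >= 0;
      case '<=': return cmp <= 0;
      case '>':  return cmp > 0;
      case '<':  return cmp < 0;
      default:   return cmp === 0;
    }
  });
}

// Mirror the EBADENGINE decision: with engine-strict=true the run aborts if
// any listed engine is unsatisfied. Returns the names of the offending engines.
function engineViolations(engines, actual) {
  return Object.keys(engines).filter(
    (name) => name in actual && !satisfies(actual[name], engines[name])
  );
}

// Constructed input copied from the issue's "Required" / "Actual" log lines.
const required = { node: '>=20', npm: '>=9' };
const actualOnRunner = { npm: '8.19.4', node: 'v20.18.1' }; // what the logs show
const actualClaimed = { npm: '10.8.2', node: 'v20.18.0' };  // what the UI message claims

const violations = engineViolations(required, actualOnRunner); // returns ['npm']
```

Running the same check against the versions the UI message claims returns no violations, which is the mismatch the reporter points out: the message and the job that actually ran disagree about which npm was used.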

broksonic21 commented 4 days ago

Looking at our logs

Was fine on

ghcr.io/dependabot/dependabot-updater-npm:4aba3e3be780a68c1d948d2daf365c2a71e69b2b

ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:v2.0.20241004183849@sha256:5e895b5edfaba72e99d0a19b43f386b18b65fc08a2d43af5aedd6360cda56842

Failing on

ghcr.io/dependabot/dependabot-updater-npm:5c6c676dd9a1055774bc95c4a4d2f38513f1ac50

ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:v2.0.20241004183849@sha256:5e895b5edfaba72e99d0a19b43f386b18b65fc08a2d43af5aedd6360cda56842

Nishnha commented 4 days ago

I searched for the error and saw 52 events in the last hour, so it seems fairly common.

I think it might be related to this change in Core https://github.com/dependabot/dependabot-core/pull/10944

broksonic21 commented 4 days ago

If that ticket is it, it looks like it's behind a feature flag. As a customer, can we opt out of that flag in the meantime? Or is there a corepack version file we need to have in our repo to avoid this?

kbukum1 commented 4 days ago

Hi @broksonic21,

Could I get the lockfileVersion field from the package-lock.json file? While we are working on a general solution, confirming this detail would help ensure that our fix addresses the specific issue they're encountering.

CC: @abdulapopoola , @carlincherry

kbukum1 commented 4 days ago

Hi @broksonic21 and @carlincherry,

The change has been deployed. If the lockfileVersion field in their package-lock.json is 3, the issue should now be resolved for them. Once we receive this information, we can confirm this has been fixed.

CC: @abdulapopoola

broksonic21 commented 4 days ago

.npmrc:

lockfile-version=3

in package-lock.json:

 "lockfileVersion": 3,

broksonic21 commented 4 days ago

This made it way worse, unfortunately, @kbukum1.

One repo is getting lock file v1 locks now, with update PRs for packages that are already up to date.

Other repos are just plain failing with no noticeable log on why; they just say "unknown error" from dependabot.

I’m happy to hop on a repro call tomorrow if it helps, or even later this evening.

kbukum1 commented 4 days ago

Hi @broksonic21 ,

I am unable to view the log because of permissions. Would it be possible for you to share the logs with me?

URL: https://github.com/broksonic21/dependabot-engine/network/updates/920865298

broksonic21 commented 4 days ago

Example PR after this change:

https://github.com/broksonic21/repro-increase-dependabot-grouped/pull/5/files

Note: seeing this in every repo, work and personal, that's on lock file 3.

kbukum1 commented 4 days ago

Hi @broksonic21 ,

I checked the last error and I saw the following error. Would it be possible to rerun the process through Insight -> Dependency Graph -> Dependabot by clicking the "Recent update jobs" button for [package.json]?

updater | 2024/11/22 00:11:45 ERROR <job_920865298> Error during file fetching; aborting: /package.json not parseable

kbukum1 commented 4 days ago

Hi @broksonic21,

It looks like the problem has been resolved. Please let me know if you encounter any further issues. If everything is working as expected, we’ll proceed to close this issue.


kbukum1 commented 4 days ago

https://github.com/broksonic21/repro-increase-dependabot-grouped/pull/5/files

I see the problem here. Checking this one.

broksonic21 commented 4 days ago

@kbukum1 I fixed that issue, but it is still broken.

See https://github.com/broksonic21/dependabot-engine/pull/17

It is reverting to lock file 1…

and the repos that it doesn't work on are just failing.

I can meet at 5:30 your time to show you if that works.

kbukum1 commented 4 days ago

Hi @broksonic21,

The feature has been disabled, so it should now work as it was working before. We are currently investigating the issue on our end to identify a solution. This behavior occurs when running npm 10 on your repository (or some similar repositories), even though the lockfileVersion is set to 3.

broksonic21 commented 4 days ago

@kbukum1 Thanks - I can confirm that fixed our work repos and my test repos - both the ones creating wrong PRs/reverting to lockfile 1, and the ones that wouldn’t run at all (likely because they used a feature that whatever npm/lockfile 1 version was running didn’t support)

Thanks for diligence and quick follow up!

I’ll leave my test repos up and happy to test again if you have a potential fix.

kbukum1 commented 3 days ago

Thank you, @broksonic21, for reporting that quickly and providing the information.

kbukum1 commented 11 hours ago

@broksonic21 ,

The change is completed and enabled for your test repositories.

Could you check that everything is OK? If everything is OK, we plan to roll out the feature.

broksonic21 commented 11 hours ago

@kbukum1 that looks right on both my test repositories. Let me know after you roll out and we can confirm the work ones too. Otherwise @carlincherry has my contact info if you want to reach out and test theirs first.

kbukum1 commented 11 hours ago

Thank you for the quick check.

I am going to roll out soon. I will let you know when the rollout is done.

kbukum1 commented 11 hours ago

@broksonic21 ,

The rollout is done. Please let me know if you see any problem in your repositories. If there is no problem found we can close this issue.

broksonic21 commented 10 hours ago

@kbukum1 the work repositories are all working as I'd expect. I think you are good here; I'll let you know if anything changes.

kbukum1 commented 9 hours ago

@broksonic21 ,

Thanks for the support.